Welcome back. And right now, we are going to check out another tool that is used for generating payloads, and that tool is called Veil. Since it is not installed in Kali Linux by default, we must install it first. To do that, you can open up your terminal, enter the root account by typing in your password after the sudo su, and then after it you want to type the command apt-get install veil.

Now, since I already have Veil installed, this will not do anything for me, but for you, it should start the process of installing Veil, and that process might take some time. However, running this command is only the first part. After this installation finishes, you can clear the screen and type veil inside of your terminal. This will, for me, open up the Veil program, but for you it will continue the process of installation. So Veil has a bunch of dependencies, and once you run the apt-get install veil and after it you run the Veil program for the first time, it will ask you to install those dependencies. You want to click Yes there, and that process will also take some time. It will also have a bunch of pop-up windows right here where you want to click on next, next, next, next on each one. You don't want to change any of those settings.
And after all the installation has finished, you should have Veil up and running. OK, great. After we get Veil up and running, we can see right here that we get two available tools. The first one is Evasion and the second one is Ordnance. And what is this? Simply a program that will allow us to generate payloads, similar to msfvenom. So let's give it a try. If I type use 1, you will notice that the commands are similar to the msfconsole. So to use one of these options, you can just simply use 1 or use 2. And since I selected use 1, as we can see, number one is Evasion. It will tell me 41 payloads loaded, and these are our available commands. So we can read information, we can list the payloads, we can use some payload.

So let us list our payloads first. And here we can see those 41 payloads; some of them are coded in Ruby, some of them are coded in Python. We have PowerShell payloads, Perl, Go, C#, C payloads, and we get some auxiliary modules as well. Now, the regular payload that we used in msfvenom would most likely be this same meterpreter reverse TCP one. Why? It is pretty much the same thing. But since we already covered something similar to this inside of the MSF, let us go with a different payload this time.
So let's go with the PowerShell payload. Let's select payload number 22, which is PowerShell meterpreter reverse TCP, so we can just type use 22. And after you select the payload, it will give you all of the available options that you can set for that payload before you generate it and create it. Here we can see the domain, hostname, our LHOST, local port, minimum browsers, minimum processes, minimum RAM, processors, sleep time, and these options you can use and change as you like. Some of them might actually help you bypass some of the antiviruses, such as, for example, this sleep option right here: sleep this amount of seconds. So whatever we set right here, that amount of seconds our payload will sleep after execution before establishing the connection with our listener.

So let's set that right away. Let's set sleep to be 20 seconds. What does this mean once again? Well, once the target executes our program, the program will sleep for 20 seconds. It will not do anything. And then after 20 seconds, it will establish the connection with our listener. Another thing that we must set is the local host, and for that we must know our IP address, and it is 192.168.1.12, so right here I type set LHOST 192.168.1.12.
And if I type generate, as we can see by the available commands right here, to generate the payload we simply type generate and press enter. "Please enter the base name for the output files", and let's call it pspayload, meaning a PowerShell payload. Click here, enter, and the payload has been created. We can see right here: language PowerShell, payload module is the one that we selected. Source code is written to this path right here, and we will notice that it is written as a .bat file, and the Metasploit resource file is written to this location right here. And the two things that we are interested in are these two things: the Metasploit resource file and the source code.

Now, this source code, which is a .bat, is something that we want to convert now. Even though on Windows systems that .bat file is runnable, it will get triggered by any antivirus program out there, since it is just a basic code that executes commands; it will get triggered by any antivirus. We want to convert it to .exe. And how are we going to do that? Well, we can go to Firefox, and there is a really good tool that is used to convert .bat programs to .exe files, and we're going to download it from GitHub. So if I type right here bat to exe, or bat2exe, and navigate right here to the first link.
I copied the link. We can see the tool is an actual zip file, so we must unzip it as soon as we download it. So let's go right here, go to the second terminal. Let's install the tool on our desktop, and I'll type git clone and then paste the link to the tool. After the tool is installed, we can change the directory to the tool, and if I type ls, here is the Bat To Exe Converter as a zip file. To unzip it, we can type the command unzip and then the bat2exe file name, and it will unzip our file. Clear the screen, type ls, and we will get an .exe file. Hmm. Is this a problem, if we know that .exe files can only be run inside of Windows? But remember, we have the wine program installed.

Let's get a quick reminder of what wine is. Wine is a program that allows us to execute Windows files inside of Linux. So let's give it a try. If I type wine and then the program name and press enter, let's give it a few seconds. And here it is. It opened the program, so we must set up the program: select the language to be English, click on OK, I accept the agreement. Of course we're not going to read all of this. Then click on next, click once again on next, and click right here on next after it. On the last step, we can click on Install. We want to check right here "Launch Bat To Exe Converter" and click on Finish.
And here it is. It opened our Bat To Exe Converter. So now what we want to do is take this payload that we generated, which is inside of this location as a .bat file, and convert it to .exe using this program, so we must open it inside of this program first. To do that, we want to go on to File and then Open. Now, we must go to this location right here. So let's click on this arrow. Let's go to the location: find var, then find lib. Then the next part is veil. So we must go and find the veil folder, here it is. And inside of output and then source is our pspayload.bat. Let's double-click it and it will open the code of our payload. Here it is right here.

Now we have some of the options right here that we can change if we want to. You can add an icon by checking this and then selecting the icon from your system, but we are not going to be doing that at the moment. Another thing that you can do: you can set the password, you can change the working directory, you can change the format to be something out of these four, and I will select it to be 64-bit Windows (Invisible), because I am attacking a 64-bit Windows machine. You can request administrator privileges at run time.
So this is sometimes good if you want your target to run the payload as an administrator. But keep in mind, once they double-click the program, if this was selected, then they will have to input the administrator password. So that is just another step before they actually execute the program. We are not going to be checking that right now. Another thing that you can do is this packer. You can enable the UPX compression, but enabling this will just trigger more and more antivirus software, because UPX is a really well-known packer, and it was used a lot to pack malicious programs. So there is nothing really here that we want to change.

And once you set all of the settings to your liking, you can go right here on Converter and then on Convert. Here, you want to select the name of your payload, and we can just call it pspayload, standing for PowerShell payload. It is an .exe format, so we can just save it. And if I click on OK, it will create our file, as we can see down here: process finished. Here we can see where our file has been saved. It is in /var/lib/veil/output/source and then pspayload.exe. OK, great.
Now, the next thing that we must do to check out whether this payload works is to run msfconsole, and while it is running msfconsole, what I'm going to do is navigate to the veil directory. So I will open a folder, I will go to File System, then go right here to var, navigate to lib all the way down, I will go to veil, then output, then source, and here is our pspayload.exe. Let us copy it to our target's desktop. So I will just drag it onto the desktop of my target machine. And here is our pspayload.exe.

If I go right here, open the Metasploit Framework, and I go back to the first terminal, copy this Metasploit resource file, copy its entire path, and type resource and then paste this. What this is going to do is it will set up the listener automatically that is made for this exact payload. As we can see right here, it started the reverse TCP handler on this IP address on this port. And it's doing all of that in the background. So all I'm left to do is execute this payload. Now, in this case, we can see the console window of this payload, which is something that we don't really want. It only showed for a brief few seconds, but that is something that you can change inside of your Bat To Exe Converter.
So let's wait for a few seconds. And in just a few seconds, we should receive the meterpreter session. And remember why it is taking so long: it is because inside of Veil we set 20 seconds to wait before establishing the connection. And here it is. We got the meterpreter session 1 opened. Let's see whether we can execute commands. So if I clear the screen and type sessions, we have one session active, and I will enter it using the -i command. getuid, and we are on that target machine. We can enter the shell as usual, type whoami, we are this account, and everything seems to work great.

So we managed to create another type of payload that wasn't the same as in the previous video. And to just prove that, I can go right here to VirusTotal and we can upload the payload to see how many antiviruses manage to detect it. With a regular msfvenom payload, we got about 53 or 54 detection rate out of 60 antiviruses. Let's see how much we get right now. Let's go and find the payload. And it is once again in /var/lib/veil, in the output folder and in the source folder. Here it is, I will select it, confirm the upload, and we should have a much lower detection rate than with the regular msfvenom payload.
And once again, with the usage of this Bat To Exe Converter, you can change some of the settings and you might even get a lower detection rate, but it will never be zero. Why? Well, if I just go right here and I delete the entire code and type some random code which doesn't do pretty much anything, and if I were to convert this code to .exe, it will still get detected by a lot of antivirus vendors. You might be asking why, since this right here is not any type of malicious code. Well, that is because we are using this tool, Bat To Exe Converter, and some antivirus vendors find files malicious, even though they might not be, just because you converted the .bat file to .exe. That is pretty much the only reason.

And we can see right here, we get a much lower detection rate than with the regular msfvenom payload. We get 27 out of 67. So we managed to bypass about 20 to 30 more antiviruses just by creating a PowerShell payload with Veil, instead of using a regular msfvenom payload. Great. So what did we learn in this video? Well, we covered this tool called Veil; you can experiment with other options as well, and you might get an even lower detection rate. We also covered this Bat To Exe Converter that we can use to convert the .bat files to .exe.
And we also know that no matter what type of file we convert to .exe, it will still get detected by some of the antivirus programs just because we used a tool like this. OK, great. Now that we covered this, we can proceed with our payload in the next video. See you there.